visit https://plex.domain.tld and receive an SSL certificate, see Plex, log in and watch shows regardless of whether I am connected to my home network or not
visit https://plex.tv and receive plex.tv’s SSL certificate, see Plex, log in and watch shows regardless of whether I am connected to my home network or not
watch via nvidia shield player latest version and local play
My docker container is operating properly and does not have any ports exposed. Any and all communication is through traefik.
env file has the $VARIABLES=VARIABLE set, and is pulled appropriately. Tried environment variable ADVERTISE_IP=https://plex.$DOMAINNAME:443 along with ADVERTISE_IP=https://plex.myrealdomain.tld:443
These are my traefik configurations, everything works well.
Is there any reason the remote checker will turn green for half a second and then turn back red?
What you are experiencing is normal -
in that anyone I know that runs plex behind a reverse proxy (nginx or traefik) sees this same behavior (myself included).
Even though it shows as not available, it will work fine
Feb 26, 2021 23:01:38.897 [0x7fbd67fff700] ERROR - Error issuing curl_easy_perform(handle): 35
Feb 26, 2021 23:01:38.897 [0x7fbd67fff700] WARN - HTTP error requesting GET https://[my-ip-address].876292851871443b9e2c053f155d8f0a.plex.direct:443/identity (35, SSL connect error) (error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error)
Feb 26, 2021 23:02:18.115 [0x7fbd67fff700] WARN - NAT: PMP, got an error: Not Supported by gateway.
Feb 26, 2021 23:02:19.405 [0x7fbdc7fff700] ERROR - Caught exception trying to stream file: /usr/lib/plexmediaserver/Resources/Plug-ins-1b7748a7b/WebClient.bundle/Contents/Resources/js/chunk-4-ee31be69efcc7a98c9a6-plex-4.51.3-6ef4412.js: write: Broken pipe
Feb 26, 2021 23:02:20.371 [0x7fbd89ffb700] WARN - NAT: PMP, got an error: Not Supported by gateway.
Feb 26, 2021 23:02:20.372 [0x7fbd89ffb700] ERROR - Error issuing curl_easy_perform(handle): 3
Feb 26, 2021 23:02:20.372 [0x7fbd89ffb700] WARN - HTTP error requesting GET https://[my-ip-address].876292851871443b9e2c053f155d8f0a.plex.direct:0/identity (3, URL using bad/illegal format or missing URL) ()
Feb 26, 2021 23:02:24.644 [0x7fbd467fc700] INFO - AutoUpdate: no updates available
So I changed the port from :443 to :32400 and turned on verbose logging + debug logging.
Feb 26, 2021 23:20:32.452 [0x7fddacb03700] DEBUG - Completed: [192.168.50.1:53776] 200 GET /media/providers (21 live) TLS GZIP 1ms 3649 bytes (pipelined: 3)
Feb 26, 2021 23:20:32.689 [0x7fddacb03700] DEBUG - EventSource: Got event [data] '<Message address="[my-ip-address]" port="32400" asyncIdentifier="d4d36583-4d87-4c67-aa4f-017b2a821aae" connectivity="1" command="notifyConnectivity"/>'
Feb 26, 2021 23:20:32.690 [0x7fddacb03700] DEBUG - PubSub: Got notified of reachability for async identifier d4d36583-4d87-4c67-aa4f-017b2a821aae: 1 for [my-ip-address]:32400 (responded in 1336 ms)
It appears plex is ignoring my custom domains and trying to use the global plex cert. This causes an issue because on :443 I cannot serve this certificate as it is handled by my reverseproxy.
Maybe hthighway has a point, and this is a long-standing bug?
If not I can attempt to troubleshoot more.
If I bypass the reverse proxy completely and use the custom cert
Ignore the username gentoo, this is a sane operating system.
I have checked all my certificates up down left and right.
The remote access checker (as I will have remote access) will show red if it goes through traefik but will show fine if plex goes through my domain but its own port.
This is what I am trying to fix, as I believe that although remote access works now, since the tool is saying it is not working (even though it is) I believe it will soon stop working if something changes on plex’s end.
Is this a harmless known visual bug, or have others gotten the tool to go green inside a rproxy?
I have an existing Traefik v2 reverse proxy setup in place and I’m about to move my Plex server behind it as well.
@kingBen1993 thanks for posting your detailed config, it will be very useful. Do I need to generate custom certs from my acme.json or did you find it made no difference in the end?
@ChuckPa I see you helped earlier on - did the logs help with identifying the problem? Do you know if Plex are looking into this by any chance please?
It made no difference for me whether I had it pointed to the certificate or not, it still worked*.
The asterisk is I don’t believe it works properly.
If the only ports exposed are the http and https I will still be able to watch on a remote machine without indirect play. That being said I’m still waiting on a staff member’s answer if the red not working under remote access is a visual bug or if I’m not passing a certain thing to my Plex server.
It says remote not working even though remote Play is possible and direct. I’d really like to know if that’s just a visual bug, or if a lot of services aren’t working and it’s going back to fall back mode.
I haven’t tried this after they updated the csrf because I haven’t gotten an answer if it’s a visual bug or if I need to add another traefik middleware. The enhanced csrf protection may have broken it.
I also have TLS 1.2 mandatory with specific ciphers. This breaks older Smart TVs. I only did this because my configuration gets an A+ in SSL Labs, and I don’t have any other devices. You can use a looser configuration that allows TLS 1.0, TLS 1.1, and insecure ciphers on TLS 1.2. It really won’t make much of a difference, other than decryption of the traffic is possible but hard. If your ISP is already interested enough in you that it’s man-in-the-middling all of your traffic, you have significantly bigger problems to worry about.
That being said I’m really hoping staff can answer if it’s a visual bug or if I need to add a specific middleware.
As far as extracting the acme certificates, it was done pretty easily with a GitHub project I found. I used an online verifier to make sure that the private key and certificate were valid. Everything seems good to go. You might have to do a little bash magic to automate it as Let’s Encrypt is only valid for 90 days. If you want direct step by step instructions please let me know. @jarrah31 it’s fairly straightforward, however. You basically run the app against your acme cert and it spits out the certificates, then you point Plex at those certificates.
I’ve also tried posting on the Traefik-specific forums but I didn’t get any responses. I’m really at a loss if it’s a visual bug only or if my server’s operating in fallback mode. Exposing a port isn’t a problem for the server but I’d like to keep everything on the HTTP and HTTPS ports.
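An added example (not part of the posts above, and not the GitHub project mentioned in the thread) of pulling one domain's certificate and key out of a Traefik v2 acme.json locally and writing the key with owner-only permissions. The resolver name `letsencrypt`, the domain names and the PEM bodies are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json
import os

def extract_pair(acme_json_text, domain):
    """Return (cert_pem, key_pem) bytes for `domain` from Traefik v2 acme.json text."""
    data = json.loads(acme_json_text)
    for resolver in data.values():  # one top-level entry per certificate resolver
        for entry in (resolver or {}).get("Certificates") or []:
            names = [entry["domain"].get("main")] + (entry["domain"].get("sans") or [])
            if domain not in names:
                continue
            cert = base64.b64decode(entry["certificate"])  # base64-wrapped PEM chain
            key = base64.b64decode(entry["key"])           # base64-wrapped PEM key
            if b"BEGIN CERTIFICATE" not in cert or b"PRIVATE KEY" not in key:
                raise ValueError("decoded entry for %s is not PEM" % domain)
            return cert, key
    raise KeyError(domain)

def write_pair(cert, key, out_dir, domain):
    """Write <domain>.crt and <domain>.key; the key file is forced to mode 0600."""
    cert_path = os.path.join(out_dir, domain + ".crt")
    key_path = os.path.join(out_dir, domain + ".key")
    with open(cert_path, "wb") as f:
        f.write(cert)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a key file left over from an earlier run
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return cert_path, key_path

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample in the acme.json layout; the PEM bodies are placeholders, not real keys.
SAMPLE = json.dumps({"letsencrypt": {"Account": {}, "Certificates": [{
    "domain": {"main": "plex.example.tld", "sans": ["www.example.tld"]},
    "certificate": _b64("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"),
    "key": _b64("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"),
    "Store": "default"}]}})

if __name__ == "__main__":
    import tempfile
    pair = extract_pair(SAMPLE, "plex.example.tld")
    print(write_pair(pair[0], pair[1], tempfile.mkdtemp(), "plex.example.tld"))
```

Run from a scheduled job, this re-exports the pair after each renewal; checking that the key matches the certificate can likewise be done offline with openssl, so the private key never leaves the host.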
I managed to get it all up and running on a new Docker instance yesterday, fronted via my Traefik v2 reverse proxy and direct play accessible via 443 from my parents’ Fire TV 4K Plex client.
I didn’t generate any certs in the end as it all seemed fine without them.
I did experience the same brief remotely accessible green message which then reverted to the red “Not available outside your network”. It would be nice to have the underlying issue fixed or at least explain why it’s happening though.
I’m using TLS 1.2 as well which gained an A+ in SSL labs (useful site that!).
I would like to have a look at that GitHub project you mentioned please and the online verifier as they could be useful to bookmark. Thanks!